Allows the supervisor to send a session's user to addon with header X-Remote-User (#88472)

* Working draft for x-remote-user * Adds comment * Submits user id instead of its name * Move lines out of try-catch block * Updates payload attribute * Removes unnecessary user data from user info API * revert changes
2023-08-22 10:14:21 +02:00 · 2023-08-22 10:14:21 +02:00 · 00b75ce58d
commit 00b75ce58d
parent 68e2809c36
2 changed files with 13 additions and 2 deletions
--- a/homeassistant/components/hassio/const.py
+++ b/homeassistant/components/hassio/const.py
@ -9,6 +9,7 @@ ATTR_ADMIN = "admin"
 ATTR_COMPRESSED = "compressed"
 ATTR_CONFIG = "config"
 ATTR_DATA = "data"
+ATTR_SESSION_DATA_USER_ID = "user_id"
 ATTR_DISCOVERY = "discovery"
 ATTR_ENABLE = "enable"
 ATTR_ENDPOINT = "endpoint"
--- a/homeassistant/components/hassio/websocket_api.py
+++ b/homeassistant/components/hassio/websocket_api.py
@ -22,6 +22,7 @@ from .const import (
    ATTR_ENDPOINT,
    ATTR_METHOD,
    ATTR_RESULT,
+    ATTR_SESSION_DATA_USER_ID,
    ATTR_TIMEOUT,
    ATTR_WS_EVENT,
    DOMAIN,
@ -115,12 +116,21 @@ async def websocket_supervisor_api(
    ):
        raise Unauthorized()
    supervisor: HassIO = hass.data[DOMAIN]
+
+    command = msg[ATTR_ENDPOINT]
+    payload = msg.get(ATTR_DATA, {})
+
+    if command == "/ingress/session":
+        # Send user ID on session creation, so the supervisor can correlate session tokens with users
+        # for every request that is authenticated with the given ingress session token.
+        payload[ATTR_SESSION_DATA_USER_ID] = connection.user.id
+
    try:
        result = await supervisor.send_command(
-            msg[ATTR_ENDPOINT],
+            command,
            method=msg[ATTR_METHOD],
            timeout=msg.get(ATTR_TIMEOUT, 10),
-            payload=msg.get(ATTR_DATA, {}),
+            payload=payload,
            source="core.websocket_api",
        )